Will Your CD Player Tell on You?
An anonymous reader writes "Ever feel like not being a marketing statistic? Well just by playing certain store-bought compact discs in your home or office computer, your new music disc may be transmitting your listening habits in real time to the respective record company...." Charming. Read on for more...
Anonymous Continues: "A company by the name of Bandlink is providing technology to record companies that allows a cd played in a personal computer to contact their server and relate statistics such as what track you're listening to and when you're listening to them. This information is then compiled into customizable reports that allow the record company to develop "User Profiles". There are benefits listed for the consumer such as cd-specific chatrooms, concert information, etc but the question remains: What's your price for privacy? The only indication that the cd you're purchasing is Bandlink "enabled/disabled" is a small logo on the packaging. There is no mention of an opt in/opt out agreement when the cd is inserted on the website and none was displayed in a personal demonstration.
Favorite quote from their website: "Virtually any information you want to know about your fan or the quality of your release can be obtained.""
I use Tiny Personal Firewall 2.0 to stop this sort of crap under Windows. It'll block any application from 'reporting' back home via the internet. It's a pro at keeping apps like Real Player or guys like this from tattling. It's not open source, but the 2.0 version was freeware. I'm not sure about the 4.0 version.
I strongly suspect that this won't even be an issue for most Linux users.
Is this USA only, or are these for sale in Canada or in Europe? Because if they are, Canada's PIPEDA and the EU DPD mean wake up and smell the lawsuits.
MHO. YMMV. Any resemblance between this post and real persons, or reality in general, was accidental.
Bandlink Support
Bandlink is designed to be run simply by inserting the CD into a Windows Compatible PC. The first time you insert the CD you will need to agree to the Bandlink User License and download the remaining program files. Bandlink should do the rest from then on.
As you can see, there's a consumer agreement component here. It's not an unimpeded, unstoppable invasion of privacy, like what TiVO was doing. You have to agree as well. In which case, if you don't really care about your privacy (and you like push content, which some people do) it might actually be seen as pretty cool.
Statistically speaking, there's a 99.998% chance that my IQ is higher than yours. Get over it.
Whilst that's something that iptables/chains just can't cope with (sadly) I have Norton Internet Firewall, for my remaining Windows PC, which is application based. i.e., you can accept/deny any connection for each application. It's a great facility, one which I wish was available on Linux. There's nothing like knowing which applications are spying on you...
Of course, NIF is too complicated for your average Windows user, but ZoneAlarm has similar facilities, and is much easier to get to grips with.
Gawd, never thought that I'd be promoting a windows app...
So it's nothing more than some Auto-Run software. Which makes sense, I can't imagine any other way a CD would just magically contact a remote host.
Solution? Disable auto-run (which I do anyway), or in this particular case, don't accept the license agreement...
They also mention this a lot:
My first thought was that they could easily combine so-called "copy protection" with phoning-home, but at least with Bandlink this is not the case.
NGWave - Fast Sound Editor for Windows
"a) CDDB is now evil [slashdot.org]"
Even freedb? http://www.freedb.org/
"b) CDDB has a known IP, which can be allowed."
Good point.
BlackGriffen
grsecurity lets you limit network access to specific uids/gids. You could in effect make programs setgid 'network' if you want them to be able to access the network and blanket deny the rest of the lot.
This is different because with WinAmp, you basically ask the software to retrieve the song name. If you don't want it to do that, you don't turn that feature on.
What Bandlink cds will (supposedly) do is tell the company what you're listening to behind your back.
Well, according to their Web site, you still have to agree to something (EULA, probably) before it installs the tracking software...
Absolutely nothing.
As a matter of fact, I've seen a few applications do just this to try to do 'instant' registration by using rundll32.exe to open a url that's a complex URL-encoded string with registration details.
Imagine a URL like:
http://www.company.com/registration.cgi?appname=Foo&serialno=939848408930&userip=201.101.80.112
etc...
The one that comes to mind is PowerDVD. I've seen it do this on a coworkers PC.
The solution to this is to deny your default browser's abilities to access the internet before installing a new app like this and then applying a deny rule against the IP or hostname it tries to access.
I pop the CD in my box and play it. The CD is a "dead" media, it's not something that magically comes to life and starts transmitting information.
Seriously, how stupid can people be? Ok, so the CD will buffer-overflow my player, and figure out how to access the outside world by executing its malicious (processor and OS independent) code... You know what? No it won't!
Shit like that doesn't just happen.
So maybe *some* people run a player that facilitates said information gathering and transmission - that's their problem. Get a life, get a real player, get a real OS.
But CD's magically coming to life and transmitting my listening habits (which I guess it stored in the big secret database facility on the moon, which is by the way run by aliens under contract with the government - which is again why they had to fake the moon landing, but that's another story) - no, please, just forget about it...
I use Linux at home and Solaris at work. Will this affect me? It sounds like it is entirely dependent on which CD-playing program you use. If that's right, then surely it won't affect many people?
Follow me
This software, if it is decently written, looks like it isn't nearly as bad as the article says it is. First, as many have pointed out, you don't have to install it. But notice what it does in addition to sending out your personal information: it lets artists give you access to bonus tracks, artwork related to the music, tour info (and discounts), contests etc etc. It lets you chat (and synch music) with people listening to the same thing, which, although I wouldn't do it, would be considered a perk by a lot of listeners out there.
Furthermore, their privacy policy says they will not hand out required personal info, but only aggregate info. They do say that they will use your personal info to "contact you about services in which you have expressed interest," which may or may not mean spam. Really, "expressed" should mean a check box, but you never know. It looks like a loophole though. And of course, the artists can require your personal info to log in to their sites, but you can just refuse to give it and not log in if you think that's a problem.
All in all, I think the article is bullshit. If this system is what it says it is, it's just an above-average media player that comes with the CD (although possibly at the cost of, say, a quarter to the buyer). Nothing to bitch about, invoking "privacy" and all that. If you're a privacy zealot, firewall it. If not, there are still a zillion other programs that are more likely to spy on you.
I hereby place the above post in the public domain.
maybe you should download zone alarm, it's good for those who don't know too much about securing stuff ...
photoplankton
Just as an FYI re: one of your points, ZoneAlarm (at least) does checksum all the apps and compares them when they request a connection. If they've changed since you granted access, you are warned about it. So a malicious app would have to either magically hash down to the same checksum (unlikely!) or it would have to modify the database (hard, as it's protected) or modify the ZA checksum code (maybe easier). All in all, possible but not easy. I've never seen any mention of any app doing any of those things, the easiest is to simply invoke IE and have it make your connections for you!
---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"
...enough said.
-- Slashdot: When Public Access TV Says "No"
one of your points, ZoneAlarm (at least) does checksum all the apps and compares them when they request a connection.
Wow, I would have thought that that would have been prohibitively expensive performance-wise, which is why I would assume that only a "trusted OS" would do that. Interesting. So I'd assume (since Google fails to turn up a detailed whitepaper on the first few hits) that ZA MD5s the binary at the first socket access the app tries during an invocation (it certainly can't be every time the app tries to do something, or performance would be completely unbearable).
But you really don't have to go to all this work. Copy (or contain) a copy of a trusted binary. Drop it into a directory somewhere. Drop a modified msvcrt.dll in the same directory, and let the program link to said DLL, and you've easily got untrusted code running within your "trusted" application.
Frankly, as long as the OS doesn't have pretty low level support for this, you're going to be able to bypass it.
I wonder what ZA could do to fix this? MD5summing linked to DLLs would be kind of expensive, and wouldn't work at all if there was application-initiated (rather than load-time OS-initiated) dynamic linking going on. I guess you could do that, take the performance hit...then ZA could hook LoadLibrary() and handle application-initiated linking....
Still, as you and I mentioned, the monolithic design of IE, providing application-level services and using components left and right, is pretty much an unstoppable impediment to securing a Windows-based system.
May we never see th
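An added illustration of the point made in the post above (not ZoneAlarm's code, and not from this thread): checking only the executable's hash still passes a program whose runtime DLL has been replaced, while hashing the executable together with the DLLs it links detects the swap. The paths and file contents are constructed stand-ins.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(exe_path, dll_paths):
    """Record the hash of the application and of every DLL it will load."""
    return {p: sha256_file(p) for p in [exe_path, *dll_paths]}


def exe_only_check(exe_path, known):
    """The weak check: compare just the executable against its recorded hash."""
    return sha256_file(exe_path) == known[exe_path]


def full_check(exe_path, dll_paths, known):
    """Return the paths whose hash no longer matches; an empty list means allow."""
    return [p for p in [exe_path, *dll_paths]
            if p not in known or sha256_file(p) != known[p]]


def demo():
    # Constructed stand-ins for a trusted binary and the runtime DLL beside it.
    d = tempfile.mkdtemp()
    exe = os.path.join(d, "trusted.exe")
    dll = os.path.join(d, "msvcrt.dll")
    with open(exe, "wb") as f:
        f.write(b"trusted program bytes")
    with open(dll, "wb") as f:
        f.write(b"genuine runtime")
    known = baseline(exe, [dll])
    # The executable is untouched; only the DLL next to it is replaced.
    with open(dll, "wb") as f:
        f.write(b"modified runtime")
    # exe-only check still says OK; the full check names the changed DLL.
    return exe_only_check(exe, known), full_check(exe, [dll], known), dll


if __name__ == "__main__":
    print(demo())
```

The full check only covers DLLs known at baseline time; libraries loaded later via LoadLibrary() would need the hook the post suggests.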
The company's privacy policy is listed on their site. From a quick read, the only thing that upsets me is that they pass along your info to the recording groups. It appears that only basic contact info is gathered and there is a fairly easy opt out approach. Of course, they can publish a rosy policy and blatantly ignore it.
From what I can tell, they are trying to impress recording labels with an avenue to add value to the CD. I read a lot of ranting about how the music industry is clueless and could leverage the Internet better. Maybe this is a positive move in that direction. It is hard to tell.
I'm a bit paranoid about it as well, but since I use Mac OS X I'll let the Windows people cut their teeth on this one.
-- Solaris Central - http://w
I bought Santana's Shaman last month and it has the wonderful tracking technology built in. I was curious as to what the "Bandlink" thing did when I bought the cd (never heard of it before). Luckily, I went to their website first and saw the usage statistics crap and decided against installing it.
... but I don't want to have to give up personal privacy for those extras. If I just had to install and register I wouldn't mind, tracking is going too far IMHO.
... for text file!.
I read part way through the EULA (which is apparently available on their website but I couldn't find it) but I didn't see anything about allowing them access to all information.
I support the idea of adding content to cd's to make them more attractive to purchase
Since I couldn't find the EULA online (as promised) I've taken the liberty of posting it online (hopefully it's not illegal but oh well).
It's available here
It weighs in at a hefty 12.8kB
This list came from PeerGuardian's blocking list. I'm guessing the BSA IP block at the end. If you really want to keep from reporting data to said parties, just add these (and whatever other beneficiaries of your private data) to your iptables, ipfilter, ZoneAlarm, Tiny, etc. blocked zones. Note that, if for any reason, you want to go to these parties' websites, you won't be able to; your firewall will block access.
...but it just feels so good!
Or, to be perfectly safe, you could borrow a page from our current administration's sex ed book and abstain from downloading.
Go to Options - Preferences - Setup. The last checkbox is "Allow Winamp to report basic, anonymous program usage information".
Most mp3 players have something like this, to a greater or lesser extent.
I'm also amazed that the allegedly technical slashdot audience has not yet figured out that in order for these "bandlink" CDs to work, the user would need to install special software on their machine. I mean, read the fucking site. These "bandlink" CDs don't do squat unless the user specially and deliberately installs the software.
It is very clear that this is not some sort of behind the scenes privacy invasion but an above board trading of information for privacy. (Which, indeed, has issues of its own, but...) Other companies (Real, Musicmatch, etc.) do worse right now.
The cake is a pie
okay, so I was bored tonight...
It appears this software is from: Javakitty Media Inc. in Atlanta, GA.
The terms of usage clearly state the aggregation of information including machine specs, etc.
The 'blink.exe' program appears to use libexpat.dll for XML parse functionality and for chatting with users using Jabber.
Oddly enough, when the program starts it first tries port 80 (HTTP) on www.microsoft.com and if that fails, it tries www.amazon.com. I guess to verify a valid HTTP connection.
Then it sends XML info back to uma.javakitty.com:8080 with various user content and song info. It logs in with username 'jared' and a trivially encrypted passwd.
Finally, there appears to be some funky access with an MFC42 (ordinal 0x0219) call with a file 'C:\temp.dat' first with www.chironexsoftware.com and then with www.google.com.
But wait there's more...
the final twist is that chironexsoftware.com is registered to the author of this software...
Registrant:
jared allen
65 Koola st , wishart
Brisbane NA 4122
Brisbane, NA 4122
AU
33432174
I wonder if he's using this software to pump hits to google for his own website? Hmmm
Now, time to remove this crap from my computer....
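The connection pattern described in the post above (a probe of a well-known HTTP host, then a report to the vendor's own server) can be picked out of per-process outbound connection records. This is an added detection example, not part of the thread; the log format and the sample lines are constructed, and the host names come from the post.

```python
import re
from collections import defaultdict

# Hosts a program may contact only to confirm it has a working HTTP path.
CONNECTIVITY_PROBES = {"www.microsoft.com", "www.amazon.com", "www.google.com"}

# Constructed record format: "<time> <process> -> <host>:<port>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+)$")


def parse(line):
    """Return (process, host, port) for a well-formed record, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("proc"), m.group("host"), int(m.group("port"))


def find_probe_then_report(lines):
    """Flag processes that first reach a probe host on port 80 and then go
    somewhere outside the probe set. Returns {process: [(host, port), ...]}."""
    by_proc = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_proc[rec[0]].append((rec[1], rec[2]))
    hits = {}
    for proc, dests in by_proc.items():
        probed = False
        for host, port in dests:
            if host in CONNECTIVITY_PROBES and port == 80:
                probed = True
            elif probed:
                hits.setdefault(proc, []).append((host, port))
    return hits


# Constructed sample of outbound connection records (not real logs).
SAMPLE = """\
12:00:01 blink.exe -> www.microsoft.com:80
12:00:02 blink.exe -> uma.javakitty.com:8080
12:00:05 blink.exe -> www.chironexsoftware.com:80
12:00:09 winamp.exe -> www.freedb.org:80
12:00:10 iexplore.exe -> www.microsoft.com:80
12:00:11 iexplore.exe -> www.google.com:80
""".splitlines()

if __name__ == "__main__":
    print(find_probe_then_report(SAMPLE))
```

The heuristic only narrows candidates: a browser that visits a probe host and then anything else will match too, so pair it with a per-application firewall rule rather than treating a hit as proof.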
Actually, InterActual has bettered its ways a lot with 2.04 (maybe earlier, haven't seen 2.01 to 2.03 myself) -- it is perfectly clear to anyone with half a brain now that the InterActual player is _only_ for the additional features.
It no longer by default takes over as your standard DVD player, and the uninstall now cleans up all its mess.
A huge step up from IAplayer 2.0 and PC Friendly.